Classifying user behavior as anomalous

ABSTRACT

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for classifying user behavior as anomalous. One of the methods includes obtaining user behavior data representing behavior of a user in a subject system. An initial model is generated from training data, the initial model having first characteristic features of the training data. A resampling model is generated from the training data and from multiple instances of the first representation for a test time period. A difference between the initial model and the resampling model is computed. The user behavior in the test time period is classified as anomalous based on the difference between the initial model and the resampling model.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. application Ser. No.17/870,733, filed on Jul. 21, 2022, entitled “Classifying User Behavioras Anomalous”, which is a divisional application of U.S. applicationSer. No. 16/575,279, filed on Sep. 18, 2019, entitled “Classifying UserBehavior As Anomalous”, now U.S. Pat. No. 11,436,530, which is adivisional application of U.S. application Ser. No. 14/810,328, filed onJul. 27, 2015, entitled “Classifying User Behavior As Anomalous”, nowU.S. Pat. No. 10,430,721, the entirety of the disclosure of the priorapplications are herein incorporated by reference.

BACKGROUND

This specification relates to detecting anomalies in large data sets.

Techniques for detecting anomalies in large data sets can be used inmultiple areas of data processing application, including computernetwork security and health care.

SUMMARY

This specification describes how a data processing system can classifyuser behavior as anomalous or not anomalous according to a variety oftechniques that make use of data that indicates resources accessed bythe user in a one or more particular data processing systems. Eventhough a user may have had permission to access all resources accessed,the system can still classify some user behavior as suspicious.

In general, one innovative aspect of the subject matter described inthis specification can be embodied in methods that include the actionsof obtaining user behavior data representing behavior of a user in asubject system, wherein the user behavior data indicates one or moreresources accessed by the user in the subject system and, for eachresource accessed by the user, when the resource was accessed;generating test data from the user behavior data, the test datacomprising a first representation of resources accessed by the userduring a test time period; generating training data from the userbehavior data, the training data comprising a respective secondrepresentation of resources accessed by the user for each of multipletime periods prior to the test time period; generating an initial modelfrom the training data, the initial model having first characteristicfeatures of the training data; generating a resampling model from thetraining data and from multiple instances of the first representationfor the test time period, the resampling model having secondcharacteristic features of the training data and the multiple instancesof the first representation for the test time period; computing adifference between the initial model and the resampling model includingcomparing the first characteristic features of the training data and thesecond characteristic features of the training data and the multipleinstances of the first representation for the test time period; andclassifying the user behavior in the test time period as anomalous basedon the difference between the initial model and the resampling model.Other embodiments of this aspect include corresponding computer systems,apparatus, and computer programs recorded on one or more computerstorage devices, each configured to perform the actions of the methods.For a system of one or more computers to be configured to performparticular operations or actions means that the system has installed onit software, firmware, hardware, or a combination of them that inoperation cause the system to perform the operations or actions. For oneor more computer programs to be configured to perform particularoperations or actions means that the one or more programs includeinstructions that, when executed by data processing apparatus, cause theapparatus to perform the operations or actions.

The foregoing and other embodiments can each optionally include one ormore of the following features, alone or in combination. The userbehavior data comprises user access records that each represent a folderor a file accessed by the user in a file system. The actions includegenerating a first matrix that includes vectors of the training data andN instances of a same vector of the test data; performing principalcomponent analysis on the first matrix to generate a first plurality ofprincipal components of the first matrix; generating a second matrixfrom a plurality of vectors of the training data; and performingprincipal component analysis on the second matrix to generate a secondplurality of principal components of the second matrix, whereincomputing a difference between the initial model and the resamplingmodel comprises computing an angle between one or more of the firstplurality of principal components and the second plurality of principalcomponents. The actions include generating a first matrix that includesvectors of the training data and N instances of a same vector of thetest data; performing singular value decomposition on the first matrixto generate a first plurality of principal components of the firstmatrix; generating a second matrix from a plurality of vectors of thetraining data; and performing singular value decomposition on the secondmatrix to generate a second plurality of principal components of thesecond matrix, wherein computing a difference between the initial modeland the resampling model comprises computing an angle between one ormore of the first plurality of principal components and the secondplurality of principal components.

Another innovative aspect of the subject matter described in thisspecification can be embodied in methods that include the actions ofobtaining a plurality of topics, each topic being data representing aplurality of file types that frequently co-occur in user behavior dataof individual users; obtaining user behavior data representing behaviorof a user in a subject system, wherein the user behavior data indicatesfile types of files accessed by the user in the subject system and whenthe file was accessed by the user; generating test data from the userbehavior data, the test data comprising a first representation of whichtopics the user accessed during a test time period according to the filetypes of the user behavior data; generating training data from the userbehavior data, the training data comprising respective secondrepresentations of which topics the user accessed in each of multipletime periods prior to the test time period; generating an initial SVDmodel from the test data; generating a resampling model from thetraining data from multiple instances of the first representation ofwhich topics the user accessed during the test time period; computing adifference between the initial model and the resampling model; andclassifying the user behavior in the test time period as anomalous basedon the difference between the initial model and the resampling model.Other embodiments of this aspect include corresponding computer systems,apparatus, and computer programs recorded on one or more computerstorage devices, each configured to perform the actions of the methods.

The foregoing and other embodiments can each optionally include one ormore of the following features, alone or in combination. The actionsinclude generating the plurality of topics from file types of filesaccessed by multiple users in the subject system. The actions includegenerating the topics using a topic modeling process including definingeach user to be a document and each file type accessed by each user tobe a term in the corresponding document. Generating the topics using thetopic modeling process comprises generating a predetermined number K oftopics. The actions include iterating over a plurality of candidatevalues of K; and selecting a particular candidate value of K as thepredetermined number K.

Another innovative aspect of the subject matter described in thisspecification can be embodied in methods that include the actions ofobtaining user behavior data representing behavior of a user in asubject system, wherein the user behavior data indicates one or moreresources accessed by the user in the subject system and, for eachresource accessed by the user, when the resource was accessed;generating test data from the user behavior data, the test datacomprising a first representation of resources accessed by the userduring a test time period; generating training data from the userbehavior data, the training data comprising respective secondrepresentations of resource accessed by the user in each of multipletime periods prior to the test time period; generating an initial pathgraph from the training data, wherein the initial path graph comprisesnodes that represent resources accessed by the user in the subjectsystem during one or more time periods represented by the training data,and links between one or more pairs of nodes, wherein each link betweeneach pair of nodes represents that the user accessed a first resourcerepresented by a first node of the pair from a second resourcerepresented by a second node of the pair; generating a test path graphfrom the test data, wherein the test path graph comprises nodes thatrepresent resources accessed by the user in the subject system duringthe test time period, and links between one or more pairs of nodes,wherein each link between each pair of nodes represents that the useraccessed a first resource represented by a first node of the pair from asecond resource represented by a second node of the pair; computing adifference between the initial path graph and the test path graph; andclassifying the user behavior by the user in the test time period asanomalous based on the difference between the initial path graph and thetest path graph.

The foregoing and other embodiments can each optionally include one ormore of the following features, alone or in combination. The userbehavior data comprises user access records that each represent a folderor a file accessed by the user in a file system. Generating the initialpath graph comprises generating the initial path graph from trainingdata of the user and training data of one or more peers of the user inthe subject system. The actions include determining one or more otherusers in the subject system that accessed at least a threshold number ofresources in common with the user during the time periods represented bythe training data; and designating the one or more other users as peersof the user in the subject system. Computing the difference between theinitial path graph and the test path graph comprises computing a Jaccarddistance between the initial path graph and the test path graph, whereinthe Jaccard distance is based on the cardinality of intersecting nodesbetween the initial path graph and the test path graph, and thecardinality of the union of nodes between the initial path graph and thetest path graph. Computing the difference between the initial path graphand the test path graph comprises obtaining weights associated withresources represented by nodes in the initial path graph and the testpath graph; and computing a weighted Jaccard distance between theinitial path graph and the test path graph, wherein the weighted Jaccarddistance is based on a sum of weights for all nodes that occur in theintersection of the initial path graph and the test path graph, and thesum of weights for all nodes that occur in the test path graph. Theactions include assigning higher a weight to a folder in the subjectsystem than a subfolder of the folder in the subject system. The actionsinclude assigning a same weight to all resources in the subject systemthat are above a threshold number of levels in a hierarchy of theresources. The weights are based on a measure of popularity of theresources. The actions include generating a hybrid graph, wherein thehybrid graph comprises user nodes that represent users in the system andresource nodes that represent resources in the system, wherein thehybrid graph includes user-resource links, wherein each user-resourcelink represents a respective user accessing a resource in the system,and resource-resource links, wherein each resource-resource linkrepresents a structure of resources in the system; computing a measureof popularity for one or more resources in the system according to thehybrid graph; selecting one or more nodes having the highest measures ofpopularity; and adding, to the initial path graph for the user, paths toeach of the one or more nodes having the highest measures of popularity.

Particular embodiments of the subject matter described in thisspecification can be implemented so as to realize one or more of thefollowing advantages. The system can classify user access patterns asanomalous even if the patterns have not been seen before, whichrule-based systems cannot do. The system can use test data resampling tomake anomaly detection much more sensitive than previous approaches. Thesystem can generate a user model for each user in the system andautomatically flag a user's behavior as anomalous. The actions of auser's peers can be incorporated in the analysis to reduce falsepositives in anomaly detection. The system can make use of data at amore granular level than previous approaches, e.g., it can use datadescribing folder accesses and file accesses. The system can use topicmodeling to detect when a user is accessing unexpected groups of filetypes.

The details of one or more embodiments of the subject matter of thisspecification are set forth in the accompanying drawings and thedescription below. Other features, aspects, and advantages of thesubject matter will become apparent from the description, the drawings,and the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a diagram of an example anomaly detection system.

FIG. 1B is a diagram of a segment node.

FIG. 2 is a flow chart of an example process for classifying user accessrecords as anomalous using a resampling model.

FIG. 3 is a flow chart of an example process for classifying userbehavior as anomalous using a topic model.

FIG. 4 is a flow chart of an example process for classifying userbehavior as anomalous using a path graphs.

FIG. 5A illustrates an initial path graph.

FIG. 5B illustrates an example test path graph.

FIG. 5C illustrates another example test path graph.

FIG. 6 is a flow chart of an example process for determining the mostpopular resources in the subject system.

FIG. 7 illustrates an example hybrid graph.

Like reference numbers and designations in the various drawings indicatelike elements.

DETAILED DESCRIPTION

FIG. 1A is a diagram of an example anomaly detection system 100. Theanomaly detection system 100 is an example of a computing system thatcan be used to detect anomalous user behavior. In general, the anomalydetection system 100 includes a user device 102, a master node 110, andmultiple segment nodes 114 a, 114 b, through 114 n.

The anomalous user behavior to be detected is typically behavior byusers in a subject system that is distinct from the anomaly detectionsystem 100. For example, the subject system can be a computer networkbelonging to a corporation.

A user of the user device 102 can access data stored in the anomalydetection system 100 by communicating with the master node 110. The userdevice 102 can be a personal computer, smartphone, or any other kind ofcomputer-based device with which a user can interact. For example, auser can query the master node for anomalous user behavior that occurredduring a specified time period, e.g., the previous day or week. Themaster node 110 can then communicate with the segment nodes 114 a-n toobtain an identification of users whose behavior during the specifiedtime period was suspicious, which the master node 110 can thencommunicate to the user device 102.

The master node 110 and each segment node 114 a-n are implemented assoftware installed on one or more physical computers or as softwareinstalled as one or more virtual machines on one or more physicalcomputers, or both. In addition, each segment node 114 a-n may executemultiple segment processes within the segment node. For example, thesegment nodes may be multi-core computers in which each segment processexecutes on a different core. In some implementations, the each physicalsegment nodes has between 8 and 12 segment processes.

The master node 110 is connected to each of the segment nodes 114 a-n,e.g., by one or more communications networks, e.g., a local area networkor the Internet, or by a direct connection. In addition, each of thesegment nodes 114 a-n may be connected to one or more other segmentnodes. The master node 110 assigns each segment node to operate on aportion of the data stored in the anomaly detection system 100.

Each data portion is generally a collection of user behavior data byusers in the subject system. To leverage parallel processing by thesegment nodes 114 a-n, all user behavior data for each distinct user canbe stored in a single portion. However, the segment nodes 114 a-n canalso communicate with each other to share information so that a singlesegment node can obtain all user behavior data for a particular user.

The user behavior data is data representing users accessing resources inthe subject system. For example, the data can represent how many times auser accessed a server, a website, a web page, a file, a directory, adatabase, or any other accessible resource in the subject system.

Each instance of a user accessing a resource is represented in the userbehavior data, e.g., by an access record. An access record can includeinformation describing the resource, the user, and the date and timethat the resource was accessed. The user behavior data may also includeaggregated access records. For example, the user behavior data caninclude, for each user, data representing how many times each resourcewas accessed during a particular time period.

The system 100 can store millions or billions of access records in anyappropriate format. For example, the system can store each access recordas a file in a file system or a line or row of data in a file in a filesystem or a record in a database. The access records can be indexed.

The master node 110 can divide the processing among N segment nodes,e.g., the segment nodes 114 a-n. The segment nodes can obtain the accessrecords by communicating with data nodes in an underlying distributedstorage system, for example, one implementing a Hadoop File System(HDFS). The data is generally partitioned among multiple storage devicesand can be organized by any appropriate key-value storage subsystem. Forexample, the data portions can be table partitions of a relationaldatabase distributed among multiple storage devices, e.g., as part of amassively parallel processing (MPP) database. The data portions can alsobe stored as part of a distributed, non-relational database, e.g., in aHadoop Database (HBase) that organizes data by key-value pairs indistinct column families and distributed across multiple storagedevices. The data portions can also be partitioned to be stored locallyby the segment nodes 114 a-n.

In the example anomaly detection system 100 illustrated in FIG. 1A, themaster node 110 has assigned the segment node 114 a to operate on accessrecords 142 a for a first group of users stored in a first storagesubsystem 132 a of the underlying distributed storage system. Similarly,the master node 110 has assigned the segment node 114 b to operate onaccess records 142 b stored in a second storage subsystem 132 b, and themaster node 110 has assigned the segment node 114 n to operate on accessrecords 142 n stored in an Nth storage subsystem 132 n.

FIG. 1B is a diagram of a segment node 114. Each of the segment nodes114 a-n in the system computes per-user models in parallel. In otherwords, the system generates one or more distinct models for each user ofthe subject system.

Each segment node 114 runs anomaly detection software installed on thesegment node 114 that that receives a user ID 145 assigned by a masternode. The anomaly detection software then obtains the user accessrecords 142 of a user corresponding to the user ID 145 from anunderlying storage subsystem and determines which access records 142 aretraining data and which access records are test data. Some individualaccess records may be used as both training data and test data.

In general, the test data includes a representation of the resourcesaccessed by the user for a recent time period, and the training dataincludes representations of resources accessed for multiple time periodsprior to the time period of the test data. For example, if the timeperiods are weeks of the year, the test data can include arepresentation of resources accessed during a most-recent week, and thetraining data can include representations of resources accessed duringthe previous month or year. The time period corresponding to the testdata may be referred to as the test period.

The test data need not represent a recent time period, however. Forexample, the system can use, as test data, access records for anyappropriate time period in order to identify anomalous behavior thatoccurred in the past.

The anomaly detection software installed on the segment node 114 makesuse of one or more modeling engines 180, 182, and 184 installed on eachsegment node in order to determine whether the user's access records 142reflect anomalous behavior by the user. All of the modeling engines 180,182, and 184, or only some of the modeling engines 180, 182, and 184,may have been installed on any particular segment node.

The segment node 114 can use a resampling model engine 180, whichresamples some of the test data as training data. The resampling modelis described in more detail below with reference to FIG. 2 . The segmentnode 114 can also use a topic model engine 182, which generates a topicmodel based on file types accessed by the user. The topic model isdescribed in more detail below with reference to FIG. 3 . The segmentnode 114 can also use a path graph model engine 184, which builds pathgraphs from training data and test data to determine anomalous behavior.The path graphs are described in more detail below with reference toFIGS. 4-7 .

The system can use the modeling engines 180, 182, and 184 to classifythe test data of the user access records 142 as anomalous or notanomalous. If the test data is classified as anomalous, the segment node114 can generate an anomalous behavior notification 155 and provide thenotification 155 to another node in the system, e.g., back to the masternode 110. The master node 110 can then propagate the notification backto the user device 102.

FIG. 2 is a flow chart of an example process for classifying user accessrecords as anomalous using a resampling model. In general, the systemdetermines how much test data, when resampled multiple times, affectsthe characteristic features of an initial statistical model of theuser's access behavior. The example process will be described as beingperformed by an appropriately programmed system of one or morecomputers.

The system obtains a user's access records (210). As described above,the access records indicate which resources were accessed by a userduring each of multiple time periods.

The system generates a representation of the user's access records(220). In some implementations, the representation is a vector or amatrix, and the system generates a vector for each of several timeperiods. Each position in the vector represents a resource in thesubject system, and each value in the vector represents a number oftimes that the user accessed the resource in the subject system thatcorresponds to the position of the value in the vector.

The system generates an initial model using the training data (230). Asdescribed above, the training data includes representations of theuser's access records for previous time periods.

The system can generate the initial model as any appropriate statisticalmodel for representing characteristic features a data set. In someimplementations, the system represents the data as a matrix and uses anyappropriate matrix factorization technique, e.g., Singular ValueDecomposition (SVD), Principal Component Analysis (PCA), or Non-negativeMatrix Factorization (NMF), to generate the representation of thecharacteristic features of the training data for the user.

For example, the system can generate a matrix X of the access recordvectors from the training data. The system can then perform SVD togenerate a matrix T representing the principal components of X.

The system generates a resampling model from the training data and thetest data sampled multiple times (240). Resampling the test datamultiple times has the effect of magnifying differences between thetraining data and the test data.

For example, if using SVD to generate the resampling model, the systemcan use all vectors of the training data and N instances of the vectorof test data. In other words, the system can generate a matrix X′ thatincludes the vectors of training data and N instances of the vector oftest data. Generally, the matrix X′ will include more columns than thematrix X for the initial model. The system can then perform SVD togenerate a matrix T′ representing the principal components of X′

The system compares the initial model and the resampling model (250).The system can use any appropriate comparison method to determine howdifferent the initial model and the resampling model are, for example,by computing a distance between characteristic features of the models.If using SVD, the system can compute the angle between the principalcomponents for the initial model T and the principal components for theresampling model T.′

The system classifies the user behavior in the test period as anomalousor not anomalous based on the comparison (260). The difference betweenthe initial model and the resampling model will be large whenever thetest data had a more dramatic effect on the resampling model relative tothe initial model. Thus, the test data is more likely to be anomalouswhen the difference is large.

If, however, the difference between the initial model and the resamplingmodel is small, the test data had a minimal impact on the initial modelgenerated from only the training data. Thus, the test data is lesslikely to be anomalous.

The system can thus determine whether the difference between the modelssatisfies a threshold and classify the user behavior as anomalous if thedifference satisfies the threshold.

FIG. 3 is a flow chart of an example process for classifying userbehavior as anomalous using a topic model. In this example process, thesystem represents a user's behavior in the subject system according togroups of related file types accessed by the user, rather than accordingto resources accessed by the user. The groups of related file types canbe represented as topics and the system can classify a user's behavioras anomalous if the test data indicates that the user accessedsubstantially different file types during the test period. The processwill be described as being performed by an appropriately programmedsystem of one or more computers.

The system generates topics from files in the subject system (310). Thesystem can generate topics where each topic represents groups of filetypes that frequently co-occur in user access records of individualusers. Typically, the system generates the topics using user accessrecords from many different users.

In some implementations, the system uses the extension of a file toindicate the type of the file. However, the system may use othermetadata about files in the system to determine file types.

The system can use any appropriate topic modeling technique by treatingeach user as a document and each file type accessed by the user as aterm occurring in the document. The system can use the topic modelingtechnique over all user access records that represent users access filesin the subject system. The result is then a number of topics that eachrepresent frequently occurring file types. The system can assign aunique identifier for each discovered topic.

For example, the system can generate K topics using Latent DirichletAllocation (LDA). LDA takes as an input parameter a number K of topics,and generates a probability distribution for each of the K topics. Eachprobability distribution assigns a likelihood to a particular file typebeing accessed by a user who accesses file types assigned to the topic.

The system can choose a value for K by iterating over candidate valuesfor K and computing the perplexity of the model. The system can choose avalue for K that balances the number of topics in the model and theperplexity of the model.

The system obtains a user's access records (320). The access records canindicate electronic files that were accessed by the user and file typeinformation of the files accessed by the user.

The system generates a representation of the user's access records(330). The system can generate a vector for each of several timeperiods. Each element of the vector represents one of the K topics, andeach value in the vector represents a number of times the user accesseda file type belonging to each of the corresponding topics. In someimplementations, each element represents a number of days in each timeperiod that the user accessed a file type belonging to each of thecorresponding topics.

The system uses an initial SVD model generated from training data toreconstruct the test data (340). As described above, the system can useany appropriate statistical model to represent the characteristicfeatures of the training data and the test data, e.g., SVD or PCA.

The system can similarly use the resampling technique described abovewith reference to FIG. 2 to determine how the initial SVD model changesrelative to a resampling model when the test data is added multipletimes to the training data.

In some implementations, the system can use singular value decomposition(SVD) to compare the models. For example, the system can a matrix X fromthe training data, where each column represents a time period in thetraining data and each row represents one of the K topics. The systemcan then perform SVD to generate a matrix Y. The system can then select,from Y, the top-k right singular column vectors V as beingrepresentative of the user's behavior during the training time period.

The system can then compare the test data, represented as a vector oftraining data by computing a distance D according to:

D=∥x _(t+1) −V×(V ^(T) ×x _(t+1))∥

The system classifies the user behavior in the test period as anomalousor not anomalous based on the comparison (350). If the differencesatisfies a threshold, the system can classify the user behavior asanomalous. Otherwise, the system can classify the user behavior as notanomalous.

FIG. 4 is a flow chart of an example process for classifying userbehavior as anomalous using a path graphs. A path graph is arepresentation of how a user navigated to resources in the subjectsystem during the relevant time periods. If the path graph changessignificantly in the test period, the system can classify the userbehavior as anomalous. The process will be described as being performedby an appropriately programmed system of one or more computers.

The system generates an initial path graph using training data (410). Apath graph represents relationships between resources accessed by theuser in the subject system.

A path graph includes nodes that represent resources accessed by theuser in the subject system. For example, the nodes of the path graph canrepresent folders and files in a file system. The nodes of the pathgraph can also represent web pages maintained by the subject system.

A path graph includes a link between two nodes to represent a useraccessing a one node from another. In other words, the path graphincludes a link to represent a user visiting a first resourcerepresented by a first node, and then visiting a second resourcerepresented by a second node. The links can therefore represent folderand subfolder relationships, links between web pages, symbolic links orshortcuts in a file system, or any other appropriate method foraccessing one resource from another.

FIG. 5A illustrates an initial path graph. In this example, the nodes ofthe path graph represent folders in a file system, and the linksrepresent a user accessing a subfolder from a parent folder.

The initial path graph has a root node 510 representing the “home”directory. The initial path graph also include other nodes 520, 522, and530 representing subfolders of the “home” directory.

A link between the node 510 and the node 520 represents that the uservisited the “home” directory and then visited “folderB” from the “home”directory. Similarly, a link between the node 520 and the node 530represents that the user visited the “subfolderC” directory from the“folderB” directory.

Thus, when the system generates the initial path graph using thetraining data, the resulting initial path graph includes nodesrepresenting resources accessed by the user and links representing howthe user navigated to those resources.

The system can also include data from the user's peers when generatingthe initial path graph. In some instances, using an initial path graphwith data from the user's peers can reduce false positive detections ofanomalous behavior.

A user's peers are generally users in the subject system that have asubstantial overlap with the user in terms of resources accessed. Forexample, a user's peers may be other members on a same team within anorganization or other employees in a same department, location, orcompany.

In some implementations, the system determines the user's peers byidentifying other users having at least a threshold amount of resourceoverlap. In other words, the system uses the training data for all usersin the subject system to compute which other users accessed at least thethreshold amount of resources in common with the user underconsideration, e.g., at least 10%, 50%, or 80% of the same resources.

The system can also use organizational data for an organization owningthe subject system. For example, the system can designate users who arepart of the same team or department as peers. The system can alsodesignate users having the same or similar roles within the organizationto be peers.

After identifying the user's peers, the system can generate the initialpath graph using training data for the user and all of the user's peers.

As shown in FIG. 4 , the system generates a test path graph using testdata (420). The test path graph is a path graph generated from the testdata. As discussed above, the test data may represent resources accessedby the user during a most recent time period. Thus, the test path graphrepresents how the user navigated to resources in the subject systemduring the time period represented by the test data.

FIG. 5B illustrates an example test path graph. The test path graphincludes two new nodes, nodes 540 and 542, and corresponding new links,represented by dashed lines. The new nodes 540 and 542 representresources accessed by the user during the test time period, but notduring the training time periods.

As shown in FIG. 4 , the system compares the initial path graph and thetest path graph (430). The system can use a variety of methods forcomparing the initial path graph and the test path graph. In general,the system computes measure of overlap between the initial path graphand the test path graph. A test path graph that significantly overlapsthe initial path graph is indicative of normal user behavior. On theother hand, a test path graph having many nodes and edges that do notoverlap the initial path graph is indicative of anomalous user behavior.

For example, the system can compute a Jaccard distance D between aninitial path graph, G1, and a test path graph, G2, according to:

${D = {1 - \frac{❘{{G1}\bigcap{G2}}❘}{❘{{G1}\bigcup{G2}}❘}}},$

where ∥G1∩G2| represents the cardinality of the intersection of the setof nodes in G1 and the set of nodes in G2, and |G1∪G2| represents thecardinality of the union of the set of nodes in G1 and the set of nodesin G2.

In some implementations, the system computes a weighted Jaccard distanceaccording to weights to the resources. The system can assign weights tothe resources based on a variety of factors. For example, the system canassign higher weights to resources that include sensitive information,e.g., sensitive corporate or employee data. Thus, the detection ofanomalous behavior becomes more sensitive to a user accessing folderswith higher weights.

The system can also assign weights based on hierarchical relationshipsof the resources. For example, if the resources represent folders andsubfolders, the system can assign a higher weight to a folders than asubfolder of the folder. This makes the detection of anomalous behaviorless sensitive to situations where a user merely accesses a newsubfolder of a folder that the user already accessed. In someimplementations, the system assigns a first weight to all resources thatare above a threshold number of levels in the hierarchy, and a smaller,second weight to all other resources. For example, the system can assigna first weight to a root directory of a file system and all directoriesup to three levels below the root directory. For all other subfolders,the system can assign the second weight.

The system can also assign weights based on the age of resources in thesystem. In some situations, anomalous behavior is more likely to involvenewly created resources than old resources. Thus, the system canincrease the weight assigned to new resources and decrease the weightfor resources as the resources become older.

The system can also assign weights based on a measure of popularity ofthe resources in the subject system. For example, the system can lowerthe weights assigned to popular resources accessed by many users in thesubject system. The system can similarly lower the weights of all childresources of popular resources, e.g., subfolders of popular folders.

After assigning weights to the resources in the system, the system cancompute the weighted Jaccard distance WD according to:

${{WD} = {1 - \frac{\sum\limits_{i \in {{G1}\bigcap{G2}}}w_{i}}{\sum\limits_{i \in {G2}}w_{i}}}},$

where the numerator term represents the sum of weights for all nodesthat occur in the intersection of G1 and G2, and the denominator termrepresents the sum of weights for all nodes that occur in G2.

The system classifies the user behavior in the test period as anomalousor not anomalous based on the comparison (440). If the computed distancebetween the initial path graph and the test path graph is large, theuser behavior is more likely to be anomalous. If the computed distanceis small, the user behavior is less likely to be anomalous. Thus, thesystem can classify the user behavior as anomalous if the computeddistance satisfies a threshold.

Anomalous events typically require follow up by a forensic team of thesubject system. Thus, the system can adjust the threshold for each testtime period based on the anticipated availability of the team toinvestigate the anomalous cases.

For example, the Jaccard distance between the initial path graphillustrated in FIG. 5A and the test path graph illustrated in FIG. 5B isa relatively low 0.333. Therefore, the system may not consider the userbehavior to be anomalous.

FIG. 5C illustrates another example test path graph. The test path graphincludes six new nodes 540, 542, 544, 550, 552, and 554, andcorresponding new links, represented by dashed lines.

The Jaccard distance between the initial path graph illustrated in FIG.5A and the test path graph illustrated in FIG. 5C is a relatively high0.6. Therefore, the system may consider the user behavior to beanomalous.

FIG. 6 is a flow chart of an example process for determining the mostpopular resources in the subject system. The system can take intoaccount which resources are popular when making determinations of userbehavior that is anomalous or not. If a user's behavior is normal butfor accessing a resource that is otherwise popular, the system avoidflagging the users behavior as anomalous. The process will be describedas being performed by an appropriately programmed system of one or morecomputers.

The system generates a hybrid user/resource graph (610). The hybridgraph has two types of nodes, user nodes representing users and resourcenodes representing resources in the subject system. The hybrid graphalso has two types of corresponding links, a resource-resource linkrepresenting a structure of resources in the subject system, and auser-resource link representing a user accessing a resource in thesubject system.

FIG. 7 illustrates an example hybrid graph. The hybrid graph has thesame resource structure as the example graph shown in FIG. 5A, havingfour resource nodes 710, 720, 722, and 730 representing folders in afile system.

The hybrid graph has resource-resource links between resource nodes,which represent the structure of the resources in the system. In thisexample, the resource-resource links represent directory inclusion.

The hybrid graph also includes two user nodes 760 and 762 representingdistinct users in the system. The hybrid graph has user-resource linksthat represent which resources each user accessed.

In this example, the user-resource links are likely to indicate that thehome folder is more popular than the other folders because the homefolder was accessed by more users than the other folders.

As shown in FIG. 6 , the system computes a score for resources in thesystem according to the hybrid graph (620). In general the scorerepresents a measure of popularity for resources in the system based onthe relationships represented by the graph. Thus, resources that areaccessed by more users will have higher scores and resources that areaccessed by fewer users will have lower scores.

In some implementations, the system computes a score having a firstcomponent representing the likelihood of a user performing a randomnavigation through resource-resource links ending up at the node and asecond component representing the likelihood of a user reaching aresource represented by a child node from a resource represented by aparent node of the child node.

The system can iteratively compute the score for each node S(i)according to the following equation:

${{S(i)} = {\frac{\left( {1 - d} \right)}{N} + {d \cdot {\sum\limits_{j}\frac{S(j)}{{out}(j)}}}}},$

where each node j represents another user node or another resource nodehaving a link to the node i, N is the number of nodes in the hybridgraph, and where d is a damping factor. For nodes that do not have anyoutgoing edges, the system can distribute their scores equally among allthe N nodes in the graph.

The system selects resource nodes having the highest scores (630). Thesystem can rank the resources nodes by the computed scores and selectthe highest-ranking resource nodes as being the most popular nodes inthe system. The system can select a predetermined number of thehighest-ranking resource nodes, or alternatively, the system can selectall resource nodes having a score that satisfies a threshold.

The system adds paths to the selected resource nodes to all initial pathgraphs (640). After determining the most popular nodes, the system canadd paths to all of the most popular nodes to the initial path graphsfor all users in the subject system. By doing so, the system treats eachuser as if the user had accessed each of the most popular folders. Whenusing the peer-based approach, the system treats each of the user'speers as if they had accessed each of the most popular folders.

By adding the paths to the most popular folders, the system can reducethe amount of false positives generated due to users visiting foldersthat they don't frequently visit, but which are otherwise popular amongusers in the system.

Embodiments of the subject matter and the functional operationsdescribed in this specification can be implemented in digital electroniccircuitry, in tangibly-embodied computer software or firmware, incomputer hardware, including the structures disclosed in thisspecification and their structural equivalents, or in combinations ofone or more of them. Embodiments of the subject matter described in thisspecification can be implemented as one or more computer programs, i.e.,one or more modules of computer program instructions encoded on atangible non-transitory program carrier for execution by, or to controlthe operation of, data processing apparatus. Alternatively or inaddition, the program instructions can be encoded on anartificially-generated propagated signal, e.g., a machine-generatedelectrical, optical, or electromagnetic signal, that is generated toencode information for transmission to suitable receiver apparatus forexecution by a data processing apparatus. The computer storage mediumcan be a machine-readable storage device, a machine-readable storagesubstrate, a random or serial access memory device, or a combination ofone or more of them. The computer storage medium is not, however, apropagated signal.

The term “data processing apparatus” encompasses all kinds of apparatus,devices, and machines for processing data, including by way of example aprogrammable processor, a computer, or multiple processors or computers.The apparatus can include special purpose logic circuitry, e.g., an FPGA(field programmable gate array) or an ASIC (application-specificintegrated circuit). The apparatus can also include, in addition tohardware, code that creates an execution environment for the computerprogram in question, e.g., code that constitutes processor firmware, aprotocol stack, a database management system, an operating system, or acombination of one or more of them.

A computer program (which may also be referred to or described as aprogram, software, a software application, a module, a software module,a script, or code) can be written in any form of programming language,including compiled or interpreted languages, or declarative orprocedural languages, and it can be deployed in any form, including as astand-alone program or as a module, component, subroutine, or other unitsuitable for use in a computing environment. A computer program may, butneed not, correspond to a file in a file system. A program can be storedin a portion of a file that holds other programs or data, e.g., one ormore scripts stored in a markup language document, in a single filededicated to the program in question, or in multiple coordinated files,e.g., files that store one or more modules, sub-programs, or portions ofcode. A computer program can be deployed to be executed on one computeror on multiple computers that are located at one site or distributedacross multiple sites and interconnected by a communication network.

As used in this specification, an “engine,” or “software engine,” refersto a software implemented input/output system that provides an outputthat is different from the input. An engine can be an encoded block offunctionality, such as a library, a platform, a software development kit(“SDK”), or an object. Each engine can be implemented on any appropriatetype of computing device, e.g., servers, mobile phones, tabletcomputers, notebook computers, music players, e-book readers, laptop ordesktop computers, PDAs, smart phones, or other stationary or portabledevices, that includes one or more processors and computer readablemedia. Additionally, two or more of the engines may be implemented onthe same computing device, or on different computing devices.

The processes and logic flows described in this specification can beperformed by one or more programmable computers executing one or morecomputer programs to perform functions by operating on input data andgenerating output. The processes and logic flows can also be performedby, and apparatus can also be implemented as, special purpose logiccircuitry, e.g., an FPGA (field programmable gate array) or an ASIC(application-specific integrated circuit).

Computers suitable for the execution of a computer program include, byway of example, can be based on general or special purposemicroprocessors or both, or any other kind of central processing unit.Generally, a central processing unit will receive instructions and datafrom a read-only memory or a random access memory or both. The essentialelements of a computer are a central processing unit for performing orexecuting instructions and one or more memory devices for storinginstructions and data. Generally, a computer will also include, or beoperatively coupled to receive data from or transfer data to, or both,one or more mass storage devices for storing data, e.g., magnetic,magneto-optical disks, or optical disks. However, a computer need nothave such devices. Moreover, a computer can be embedded in anotherdevice, e.g., a mobile telephone, a personal digital assistant (PDA), amobile audio or video player, a game console, a Global PositioningSystem (GPS) receiver, or a portable storage device, e.g., a universalserial bus (USB) flash drive, to name just a few.

Computer-readable media suitable for storing computer programinstructions and data include all forms of non-volatile memory, mediaand memory devices, including by way of example semiconductor memorydevices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks,e.g., internal hard disks or removable disks; magneto-optical disks; andCD-ROM and DVD-ROM disks. The processor and the memory can besupplemented by, or incorporated in, special purpose logic circuitry.

To provide for interaction with a user, embodiments of the subjectmatter described in this specification can be implemented on a computerhaving a display device, e.g., a CRT (cathode ray tube) monitor, an LCD(liquid crystal display) monitor, or an OLED display, for displayinginformation to the user, as well as input devices for providing input tothe computer, e.g., a keyboard, a mouse, or a presence sensitive displayor other surface. Other kinds of devices can be used to provide forinteraction with a user as well; for example, feedback provided to theuser can be any form of sensory feedback, e.g., visual feedback,auditory feedback, or tactile feedback; and input from the user can bereceived in any form, including acoustic, speech, or tactile input. Inaddition, a computer can interact with a user by sending resources toand receiving resources from a device that is used by the user; forexample, by sending web pages to a web browser on a user's client devicein response to requests received from the web browser.

Embodiments of the subject matter described in this specification can beimplemented in a computing system that includes a back-end component,e.g., as a data server, or that includes a middleware component, e.g.,an application server, or that includes a front-end component, e.g., aclient computer having a graphical user interface or a Web browserthrough which a user can interact with an implementation of the subjectmatter described in this specification, or any combination of one ormore such back-end, middleware, or front-end components. The componentsof the system can be interconnected by any form or medium of digitaldata communication, e.g., a communication network. Examples ofcommunication networks include a local area network (“LAN”) and a widearea network (“WAN”), e.g., the Internet.

The computing system can include clients and servers. A client andserver are generally remote from each other and typically interactthrough a communication network. The relationship of client and serverarises by virtue of computer programs running on the respectivecomputers and having a client-server relationship to each other.

While this specification contains many specific implementation details,these should not be construed as limitations on the scope of anyinvention or of what may be claimed, but rather as descriptions offeatures that may be specific to particular embodiments of particularinventions. Certain features that are described in this specification inthe context of separate embodiments can also be implemented incombination in a single embodiment. Conversely, various features thatare described in the context of a single embodiment can also beimplemented in multiple embodiments separately or in any suitablesubcombination. Moreover, although features may be described above asacting in certain combinations and even initially claimed as such, oneor more features from a claimed combination can in some cases be excisedfrom the combination, and the claimed combination may be directed to asubcombination or variation of a subcombination.

Similarly, while operations are depicted in the drawings in a particularorder, this should not be understood as requiring that such operationsbe performed in the particular order shown or in sequential order, orthat all illustrated operations be performed, to achieve desirableresults. In certain circumstances, multitasking and parallel processingmay be advantageous. Moreover, the separation of various system modulesand components in the embodiments described above should not beunderstood as requiring such separation in all embodiments, and itshould be understood that the described program components and systemscan generally be integrated together in a single software product orpackaged into multiple software products.

Particular embodiments of the subject matter have been described. Otherembodiments are within the scope of the following claims. For example,the actions recited in the claims can be performed in a different orderand still achieve desirable results. As one example, the processesdepicted in the accompanying figures do not necessarily require theparticular order shown, or sequential order, to achieve desirableresults. In certain implementations, multitasking and parallelprocessing may be advantageous.

What is claimed is:
 1. A method comprising: obtaining a plurality oftopics, each topic being data representing a plurality of file typesthat frequently co-occur in user behavior data of individual users;obtaining user behavior data representing behavior of a user in asubject system, wherein the user behavior data indicates file types offiles accessed by the user in the subject system and when the file wasaccessed by the user; generating test data from the user behavior data,the test data comprising a first representation of which topics the useraccessed during a test time period according to the file types of theuser behavior data; generating training data from the user behaviordata, the training data comprising respective second representations ofwhich topics the user accessed in each of multiple time periods prior tothe test time period; generating an initial SVD model from the testdata; generating a resampling model from the training data from multipleinstances of the first representation of which topics the user accessedduring the test time period; computing a difference between the initialmodel and the resampling model; and classifying the user behavior in thetest time period as anomalous based on the difference between theinitial model and the resampling model.